TOE Function Access Control SFP ................... 39
6.3. SECURITY FUNCTIONAL REQUIREMENTS .................. 40
6.3.1. Class FAU: Security audit .................... 41
6.3.2. Class FCO: Communication .................... 43
6.3.3. Class FCS: Cryptographic support ................... 43
Copyright 2013 Xerox Corporation. All rights reserved.
User Data Protection – Disk Encryption (TSF_FDP_UDE) .......... 73
7.1.8. User Data Protection – IP Filtering (TSF_FDP_FILTER) ........... 73
7.1.9. Network Security (TSF_NET_SEC) ................... 73
7.1.10. Security Management (TSF_FMT) ................ 73
GLOSSARY ...................... 77
ACRONYMS ...................... 81
10. BIBLIOGRAPHY ...................... 83
Sufficiency of Security Functional Requirements ............... 59
Table 31: SFR Dependencies Satisfied ...................... 65
Table 32: EAL2 (augmented with ALC_FLR.3) SAR Dependencies Satisfied .......... 67
Table 33: Acronyms .......................... 81
ST and TOE Identification
Table 1 below presents key identification details relevant to the CC evaluation of the WorkCentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & ColorQube 9301, 9302, 9303.
Table 1: ST and TOE identification...
1.2.1. Usage and Security Features
The WorkCentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & ColorQube 9301, 9302, 9303, the Target of Evaluation (TOE), is a multi-function device (MFD) that copies and prints, with scan and fax options.
Secure Shell (SSH) File Transfer Protocol (SFTP) and TLS are available for protecting document transfers to a remote file depository.
o Internet Protocol Security (IPsec) support is available for protecting communication over IPv4 and IPv6 networks.
Standard (FIPS) 201 Personal Identity Verification Common Access Card (PIV-CAC) compliant smart cards and readers or equivalent. In support of smart card authentication, a Windows Domain Controller must also be present in the environment.
1.3.1. Physical Scope of the TOE
The TOE is an MFD (WorkCentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & ColorQube 9301, 9302, 9303) that consists of a printer, copier, scanner, fax (if installed) and associated administrator and user guidance.
Xerox ColorQube 9301/9302/9303 ConnectKey Controller User Guide | February 2013
Secure Installation and Operation of Your Xerox WorkCentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855 & ColorQube 9301, 9302, 9303 | May 2013
The TOE’s physical interfaces include a power port, an Ethernet port, USB ports, serial ports, fax ports (if the fax accessory is installed), the LUI with keypad, a document scanner, a document feeder and a document output.
The TOE utilizes digital signature generation and verification (RSA), data encryption (TDES, AES), key establishment (RSA) and cryptographic checksum generation and secure hash computation (HMAC, SHA-1) in support of disk encryption, SFTP, TLS and IPsec.
LUI and Web UI. User and role management is only accessible via the Web UI. The TOE is capable of verifying the integrity of the TSF at the request of the administrator.
Smart eSolutions. Suite of features that provide free services to enable administration of metered billing and supplies replenishment plans for printers on a network.
Xerox Extensible Interface Platform (EIP). Allows independent software vendors and partners to develop personalized and customized document management solutions. These solutions can be integrated and accessed directly from the printer control panel.
ALC_FLR.3, and the following additional packages from IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std 2600™-2008 Operational Environment B (IEEE Std. 2600.2-2009):
2600.2-PRT, SFR Package for Hardcopy Device Print Functions, Operational Environment B
(including iterated) SFRs from CC Part 2 shown in Table 5.
Table 5: IEEE Std. 2600.2-2009 common SFR augmentations
Family | Augmentation
Audit | FAU_STG.1, FAU_STG.4
Cryptographic Support | FCS_COP.1, FCS_CKM.1, FCS_CKM.2, FCS_CKM.4
The packages shown in Table 6 from IEEE Std. 2600.2-2009 have been augmented with additional (including iterated) SFRs from CC Part 2.
Table 6: IEEE Std. 2600.2-2009 package augmentations
Package | Augmentation
| FDP_IFC.1 (FILTER), FDP_IFF.1 (FILTER)
User Data are data created by and for Users and do not affect the operation of the TOE Security Functionality (TSF). This type of data is composed of two objects: User Document Data and User Function Data, as shown in Table 8.
Cryptographic keys
Configuration settings
Device service and diagnostic data
X.509 Certificate (TLS)
User IDs and Passwords
User Access Permissions
802.1X Credentials and Configuration
IP filter table (rules)
Email Addresses for fax forwarding
(Create, Modify, Delete), and those that invoke a function (Execute).
3.1.4. Channels
Channels are the mechanisms through which data can be transferred into and out of the TOE. In this Security Target, four types of Channels are allowed:
TOE in accordance with those policies and procedures.
A.ADMIN.TRUST | Administrators do not use their privileged access rights for malicious purposes.
| D.CONF | TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT | D.CONF | TSF Confidential Data may be altered by unauthorized persons
3.3.2. Threats Addressed by the IT Environment
There are no threats addressed by the IT Environment.
P.INTERFACE.MANAGEMENT | To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment.
The TOE shall provide procedures to self-verify executable code in the TSF.
O.AUDIT.LOGGED | The TOE shall create and maintain a log of TOE use and security-relevant events, and prevent its unauthorized disclosure or alteration.
TOE external interfaces.
OE.USER.AUTHENTICATED | The IT environment shall provide support for user identification and authentication and protect the user credentials in transit when the TOE operates in remote identification and authentication mode.
This section demonstrates that each threat, organizational security policy, and assumption is mitigated by at least one security objective for the TOE, and that those security objectives counter the threats, enforce the policies, and uphold the assumptions.
| D.DOC may be disclosed to unauthorized persons | O.DOC.NO_DIS protects D.DOC from unauthorized disclosure
| | O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization
| | OE.USER.AUTHORIZED establishes responsibility of the TOE Owner to appropriately grant authorization
T.PROT.ALT | TSF Protected Data may be altered by unauthorized persons | O.PROT.NO_ALT protects D.PROT from unauthorized alteration
| | O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization
P.USER.AUTHORIZATION | Users will be authorized to use the TOE | O.USER.AUTHORIZED establishes user identification and authentication as the basis for authorization
| interfaces will be controlled by the TOE and its IT environment. | O.INTERFACE.MANAGED manages the operation of external interfaces in accordance with security policies
| | OE.INTERFACE.MANAGED establishes a protected environment for TOE external interfaces
Administrators.
A.USER.TRAINING | TOE Users are aware of and trained to follow security policies and procedures | OE.USER.TRAINED establishes responsibility of the TOE Owner to provide appropriate User training.
Direct forwarding of data from one external interface to another one requires explicit allowance by an authorized administrative role.
Management: FPT_FDI_EXP.1
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles.
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on [assignment: list of external interfaces] from being forwarded without further processing by the TSF to [assignment: list of external interfaces].
ID for the iteration (e.g. “(FILTER)”). The resulting component ID would be “FDP_IFC.1 (FILTER)”. Where an iteration is identified in rationale discussion as “all”, the statement applies to all iterations of the requirement (e.g. “FMT_MTD.1 (all)”).
| Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except when the associated D.FUNC is deleted.
+SCN | Read, Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
+CPY | Read, Delete | U.NORMAL, U.ADMINISTRATOR | Denied, except for his/her own documents
+faxOUT | Delete | U.ADMINISTRATOR (System Administrator) | Allowed
Table 22: Attributes Definition
Designation | Definition
+PRT | Indicates data that are associated with a print job.
+SCN | Indicates data that are associated with a scan job.
SFR Packages in Section 12.3 via the Web UI or the LUI:
Print (PRT)
Scan (SCN)
Fax (faxIN / faxOUT)
Copy (CPY)
Document Storage and Retrieval (DSR)
Security attribute based access control
FDP_IFC.1 Subset information flow control
FDP_IFF.1 Simple security attributes
FDP_RIP.1 Subset residual information protection
FIA_ATD.1 User attribute definition
FIA_UAU.1 Timing of authentication
FIA_UAU.7 Protected authentication feedback
FIA_UID.1 Timing of identification
PP/ST, [for each Relevant SFR listed in Table 24: (1) information as defined by its Audit Level (if one is specified), and (2) all Additional Information (if any is required),
This audit event is required by the addition of the IEEE 2600.2-SMI SFR Package. The developer added it to the existing table of events rather than adding an iteration for FAU_GEN.1.
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
User Access Control SFP in Table 21].
Application Note: This SFR covers FDP_ACC.1 (a) and FDP_ACC.1 from all claimed packages (PRT, SCN, CPY, FAX, DSR) in the IEEE Std. 2600.2
6.3.4.4. FDP_ACF.1 (FUNC) Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 (FILTER) The TSF shall enforce the [IPFilter SFP] based on the following types of subject and information security attributes: [
Subjects: External entities that send traffic to the TOE
o IP address,
Class FIA: Identification and authentication
6.3.5.1. FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [username, password, role].
[subjects will be assigned the security attributes of the user that they are acting on behalf of].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes with the subjects
Application Note: This SFR is FMT_MSA.1 (b) from the IEEE Std. 2600.2
6.3.6.3. FMT_MSA.3 (USER) Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
Application Note: This SFR is part of FMT_MTD.1 from the IEEE Std. 2600.2 PP.
6.3.6.6. FMT_MTD.1 (MGMT2) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
Fax Forwarding Email Addresses] to [U.ADMINISTRATOR (System Administrator)].
6.3.6.9. FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
Enable/disable and configure fax forwarding to email; and,
Perform software self-test].
6.3.6.10. FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [U.ADMINISTRATOR (System Administrator), U.ADMINISTRATOR (Accounting
TSF: Immediate Image Overwrite].
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [the following parts of TSF data: Software Module version (configuration data); IP Filtering Tables].
The TSF shall permit the TSF, another trusted IT product to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel [communication D.DOC, D.FUNC, D.PROT, D.CONF over Shared-medium interface].
Security Assurance Requirements; they are not iterated or refined from their counterparts in CC Part 3.
Table 28: IEEE 2600.2 security assurance requirements
Assurance Class | Assurance Components
ADV: Development | ADV_ARC.1 Security architecture description
Security Target, that do not originate in IEEE Std. 2600.2-2009, have been added to these tables. Bold typeface items provide principal (P) fulfillment of the objectives, and normal typeface items provide supporting (S) fulfillment.
Objective | Purpose | SFR | Rationale
O.DOC.NO_DIS, O.DOC.NO_ALT, O.FUNC.NO_ALT | Protection of User Data from unauthorized disclosure or alteration | FDP_ACC.1(USER) | Enforces protection by establishing an access control policy.
| | FDP_ACF.1(USER) | Supports access control policy by providing access control function.
| | FMT_SMR.1 | Supports control of security attributes by requiring security roles.
O.USER.AUTHORIZED | Authorization of Normal Users and Administrators to use the TOE | FDP_ACC.1(FUNC) | Enforces authorization by establishing an access control policy.
| | FMT_MSA.3(FUNC) | Supports access control function by enforcing control of security attribute defaults.
| | FMT_SMR.1 | Supports authorization by requiring security roles.
| | FTA_SSL.3 | Enforces authorization by terminating inactive sessions.
[...]ERIFIED | Verification of software integrity | FPT_TST.1 | Enforces verification of software by requiring self tests.
O.AUDIT.LOGGED | Logging and authorized access to audit events | FAU_GEN.1 | Enforces audit policies by requiring logging of relevant events.
| | FAU_STG.1 | Enforces the audit policies by preventing unauthorized modification or deletion.
| | FAU_STG.4 | Enforces the audit policies by preventing loss of newer audit trail data.
| | FIA_UID.1 | Supports audit policies by requiring user identification
ALC_FLR.3 encompasses all requirements of ALC_FLR.2 plus some additional requirements. ALC_FLR.3 ensures that instructions and procedures for the reporting and remediation of identified security flaws are in place and their
SFR | Dependencies | Satisfied
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4 |
FCS_CKM.2 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4 |
FCS_CKM.4 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1] |
FDP_ACC.1(USER) | FDP_ACF.1 | Yes, FDP_ACF.1(USER)
FDP_ACC.1(FUNC) | FDP_ACF.1 | Yes, FDP_ACF.1(FUNC)
FDP_ACF.1(USER) | FDP_ACC.1 | Yes, FDP_ACC.1(USER)
FDP_ACF.1(USER) | FMT_MSA.3 | Yes, FMT_MSA.3(USER)
In fact, these features are configured and, with the exception of IP Filter rules, cannot be modified by the system administrator other than to enable or disable them. It is for these reasons that the dependency on FMT_MSA.3 is not and cannot be expected to be met.
For this TOE, the restricted forwarding from the external interfaces to the network controller is an architectural design feature which cannot be configured; hence the dependencies on FMT_SMF.1 and FMT_SMR.1 are not met.
The definition of this reserved section is statically stored within the TOE and cannot be manipulated.
Immediately
Files are stored inside mailboxes. They may be deleted by their owner through individual file deletions or deletion of the mailbox.
Likewise, for fax interface to network interface (fax forwarding to email) jobs, the entire job must be
(a trusted remote IT entity). User credentials entered at the LUI or Web UI are authenticated at the server instead of the TOE. The network authentication services supported by the TOE are: smart
Application Note: For print and LanFax jobs not submitted from the Web UI, the network username associated with the logged in user at the client workstation will be recorded in the audit log.
7.1.6. Cryptographic Operations (TSF_FCS)
FCS_COP.1, FCS_CKM.1, FCS_CKM.2, FCS_CKM.4
IPv4 and IPv6; Kerberos and TLS for remote authentication.
7.1.10. Security Management (TSF_FMT)
FDP_ACC.1 (USER), FDP_ACC.1 (FUNC), FDP_ACF.1 (USER), FDP_ACF.1 (FUNC), FIA_ATD.1, FMT_SMF.1, FMT_MSA.1 (USER), FMT_MSA.1 (FUNC), FMT_MSA.3 (USER), FMT_MSA.3 (FUNC), FMT_MTD.1 (MGMT1), FMT_MTD.1 (MGMT2), FMT_MTD.1 (KEY), FPT_TST.1
LUI or Web UI. The Web UI only allows deletion of jobs submitted via the Web UI. Deletion of a Secure Print job requires knowledge of the associated passcode.
Also during initial start up, the version number of the software
The system administrator can verify the integrity of the TOE software image through the Web UI using the software verification feature.
Enterprise: An operational context typically consisting of centrally-managed networks of IT products protected from direct Internet access by firewalls. Enterprise environments generally include medium to large businesses, certain governmental agencies, and organizations requiring managed telecommuting systems and remote offices.
Normal User: A User who is authorized to perform User Document Data processing functions of the TOE.
Object: A passive entity in the TOE that contains or receives information, and upon which subjects perform operations.
TOE.
SFR package: A named set of security functional requirements.
Shared-medium interface: Mechanism for transmitting or receiving data that uses wired or wireless network or non-network electronic methods over a
User Function Data: The asset that consists of the information about a user’s document or job to be processed by the HCD.
Internet Printing Protocol
IPsec | Internet Protocol Security
Information Technology
LDAP | Lightweight Directory Access Protocol
Line Printer Remote
Local User Interface
Multifunctional Device
Multifunctional Product / Peripheral / Printer
Nonvolatile Storage
ODIO | On-Demand Image Overwrite
Public Switched Telephone Network
Scan
Security Function Policy
Security Functional Requirement
Shared-Medium Interface
Secure Shell
Security Target
Standard
Transport Layer Security
Target Of Evaluation
TOE Security Functionality
TOE Security Policy
Universal Serial Bus
[B3] IEEE Std. 100, The Authoritative Dictionary of IEEE Standards Terms, Seventh Edition, New York, Institute of Electrical and Electronics Engineers, Inc.
IEEE publications are available from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854, USA (http://standards.ieee.org).